Long reads

Why financial institutions must move quicker on quantum

Andersen Cheng

Andersen Cheng

Chairman, Post Quantum

For most people reading this, a functioning quantum computer will probably still feel quite fictional — an innovation that’s still light years away. There’s also the idea that, well, wouldn’t a functioning quantum computer be a good thing? Won’t a functioning machine, for example, be able to effectively analyse large or unstructured data sets, to have the technological power to react faster to market volatility?

Yes, most likely, but the price to pay is cryptography. As with most cybersecurity threats in this world, the banking and financial sector is firmly in the crosshairs of those looking to cause damage and harm. 

It’s not like there’s no recognition of the threat. For example, The Bank for International Settlements (BIS) recently said it was poised to onboard more central banks and private banks in a new phase of its project to ‘quantum-proof’ payment systems. However, the sector still lacks preparedness as a whole, begging the question: are we sleepwalking into a security crisis in financial services? 

The threat explained 

Timescale aside for a moment - everyone in the sector needs to recognise that the threat of a functioning cryptographically relevant quantum computer (CRQC) is absolute. It will break through the public-key encryption (PKC) used to protect us in virtually the entire digital world that we take for granted today. It means that data, no matter how secure it may be right now, will be vulnerable to a future attack on a scale never seen before.

In finance, this means that all client data, balance sheets, asset purchases, and money transfers will be left defenceless. For example, public asset records, preserved in ledgers like the Land Registry, serve as the basis for property ownership, mortgages, and related securities. As with private ledgers, encryption safeguards may be in place to protect these records. But an attacker with access to a functioning quantum machine could manipulate encrypted data, tamper with records, rewrite ownership of assets, and create fraudulent transactions. This would compromise the accuracy and transparency of these ledgers.

Some technologists claim blockchain would be the solution. However, virtually all blockchains are not quantum-safe and even if they all were, there is still a threat that current thinking cannot address.  Blockchain only provides immutability but not security.  It is not a preventative measure and will merely record beyond doubt and post-the-event that someone has stolen your assets. This is where hackers will come in to destroy the trust in the entire ecosystem. Having a quantum-safe identity solution is essential to ensure access to blockchained and other records is future-proof.

Just focusing on this moment of absolute vulnerability downplays the risk entirely. In reality, the threat quantum machines pose is already here today in the form of Harvest Now, Decrypt Later (HNDL) attacks. That is, sensitive data with a long shelf life - anything from Personal Identifiable Information (PII), to financial asset data - is being harvested by those intending to decrypt it once a sufficiently powerful quantum computer arrives. Evidence of this risk is demonstrated by the increasing frequency of data breaches and cyberattacks targeting financial institutions. 

Initial action, but does it go far enough? 

The industry has begun to take initial steps to tackle these issues. HSBC, for example, has piloted a quantum-secured metro network in London. The bank intends to use a quantum-secured metro network to evaluate secure transmission of data across standard fibrefiber-optic cables between its global headquarters at Canary Wharf in London's Docklands, and a datacenter 62km (38 miles) away in Berkshire. 

Last year, the BIS and two of Europe’s central banks established a channel that can protect financial data. Dubbed ‘Project Leap’, the BIS Innovation Hub Eurosystem Centre worked with the French and German central banks’ to design a channel that will use quantum-safeprotect cryptographic algorithms, which protect sensitive financial data from being penetrated by powerful quantum computers.

But even despite these projects making some progress, the sector must go further. Take the BIS project - at this stage, it only aims to quantum-proof edge-to-edge communications, or the parts of the communication chain that happen from the perimeter of the central bank, to the perimeter of another central bank. This is also called a ‘last-mile’ problem, and simply protecting communications from the edges of central banks, rather than end-to-end user protection, leaves an obvious target for an attacker. 

Interoperability is also another problem. Today, everybody uses the same encryption algorithms, but what happens when BIS wants to add more countries outside of France and Germany? We’ve already seen the likes of Germany opting for algorithms such as Classic McEliece, which is at odds with the Kyber algorithms selected by the National Institute of Standards and Technology (NIST) in the US. In essence, what might work and be interoperable for a link between two institutions will likely face implementation challenges when scaling across the multi-layered globalised payments infrastructure. 

Ultimately, what the BIS demonstrates is the huge scale of the challenge in front of financial institutions. Every database must be re-encrypted with future proof algorithms. All apps will have to be re-coded. This is not just a press of a button, and will take years, if not decades to complete if the entire sector is to be fortified. The bigger institutions will have the bandwidth and finances to take action - some indeed already have. But it will take a long time until we can say the sector is quantum-proof. 

An action plan for banks 

There is something to be said about the need for a greater push from regulators. For example, in the US, The Cybersecurity and Infrastructure Security Agency — tasked by Biden to solve the quantum problem — delegated authority over the financial sector response to the Treasury Department. Treasury's 2023 budget contains no explicit mention of quantum computing nor appropriations to plan, prepare, and respond. 

For now, it’s still in the hands of firms to take the initiative. What should you be doing? If you’re a major financial institution, it’s time to create your own end-to-end infrastructure that’s quantum-safe by design, where everything from your business processes to day-to-day communications is protected. This means thinking about everything from quantum-proofing your identity access management system, to using a quantum-safe VPN to protect communications across your business. And you don’t have to wait for NIST to ratify its algorithms or government mandates for this to happen. 

For example, IETF recently created a new VPN standard that helps specify how VPNs can exchange communications securely in the quantum age. The novel approach prioritises interoperability by making it possible for multiple post-quantum and classical encryption algorithms to be incorporated into VPNs, ensuring no disruption to the functioning of existing IT systems, and protecting data from attack by both classical and quantum computers.

At-risk organisations might also consider establishing secure end-to-end messaging infrastructures that they control and can quantum-proof today. Such an approach allows different business processes to be created within an end-to-end secure environment so critical data is verifiably quantum-safe throughout its lifecycle. 

Financial firms will be on the front line of quantum security. While action has been taken, I fear it’s not enough, and not quick enough. Without taking action and looking at tackling vulnerable infrastructure end-to-end, even those out in front will find themselves vulnerable in the coming years.  

What is the alternative? Start taking paper or out-of-band digital copies of all the key documents such as corporate registers and legal documentation, delegated signing authorities, customer reference data, and major transaction data to ensure you are ahead of the queue in making any claims or bailouts.

For those non-believers, we have actually seen a dry run of it before, in the form of COVID lockdowns.  Remember the time when everything was closed and nothing worked? We were lucky that most of us could still activate contingency plans and work remotely. Just imagine when Year-to-Quantum(Y2Q) arrives, you will not even have the communication means to execute your well thought through plan with your colleagues.

What is the alternative if you do not want to or are not in position to migrate? Start taking paper or out-of-band digital copies of all the key documents such as corporate registers and legal documentation, delegated signing authorities, customer reference data, and major transaction data to ensure you are ahead of the queue in making any claims or applying for government bailouts.

Comments: (0)